How to cause a DoS in Windows 8 explorer.exe

Monday, September 30, 2013

We discovered by accident how to cause a Denial of Service (DoS) in Windows 8.
It is a small bug present in the latest version of the operating system. Since
we reported it to Microsoft first and they did not consider it a real security
problem that could be exploited, we are documenting it as an anecdote.

Explorer.exe is a very important process in Windows. It is in charge of drawing
the desktop and hands out security tokens to the programs running in the same
environment. It is vital that it is running at all times, so if the process
dies for any reason the operating system restarts it automatically.

Apparently, in Windows 8, explorer.exe does not correctly handle an exception
that is thrown while processing digital certificates, which forces it to close
and relaunch. The problem also affects other programs that use the same internal
API for parsing ASN.1 structures, for example any .NET program that processes
the “signedInfo” field of a signature.

These are the steps to reproduce the problem:

1. Have a signed binary (DLL or EXE) at hand. Any binary will do as long as it is signed.

2. Fill the last section of the PKCS structure with zeroes or random values, for example 256 bytes of “00”.

[Image: a part of the signature filled with 00s]

In this example we overwrote part of the information belonging to the
countersignature, as can be seen when opening the ASN.1 structure in a
different viewer. We have not tested exactly which part, when overwritten,
triggers the problem.
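As an added example (not part of the original post), the following Python checker walks the nested DER structure of a PKCS#7 blob like the one in the steps above and reports the offset of the first malformed element, the kind of structural sanity check a viewer could run before handing a signature to a fragile parser. The sample blob is constructed and simplified (a SignedData-shaped skeleton with a countersignature attribute), not a real Authenticode signature, and `zero_tail` only builds test input mirroring the post's zero-filling step.

```python
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)
OID_COUNTERSIGN = bytes.fromhex("2a864886f70d010906")  # 1.2.840.113549.1.9.6 (countersignature)

def tlv(tag, body):
    """Encode one DER TLV (short or long-form length); only used to build the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_length(buf, pos):
    """Parse the DER length at buf[pos]; return (length, body offset)."""
    first = buf[pos]  # IndexError here means a truncated element
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def first_malformed_offset(buf, pos=0, end=None):
    """Walk nested DER TLVs in buf[pos:end]; return offset of the first bad element, else None."""
    end = len(buf) if end is None else end
    while pos < end:
        tag = buf[pos]
        if tag == 0x00 or (tag & 0x1F) == 0x1F:  # zero tag (what 00-filling yields) or high-tag form
            return pos
        try:
            length, body = _read_length(buf, pos + 1)
        except (ValueError, IndexError):
            return pos
        if body + length > end:  # element overruns its parent
            return pos
        if tag & 0x20:  # constructed element: validate its children too
            bad = first_malformed_offset(buf, body, body + length)
            if bad is not None:
                return bad
        pos = body + length
    return None

def build_sample_pkcs7():
    """Constructed, simplified SignedData-shaped blob; not a real Authenticode signature."""
    countersig = tlv(0x30, tlv(0x06, OID_COUNTERSIGN) + tlv(0x31, tlv(0x04, bytes(range(40)))))
    signer_info = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA1, countersig))  # [1] unauthenticatedAttrs
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x31, signer_info))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed_data))

def zero_tail(blob, n):
    """Constructed input mirroring the post's step: overwrite the last n bytes with 0x00."""
    return blob[:-n] + bytes(n)
```

The walker catches structural damage only: zeros that land entirely inside a primitive's content (for example `zero_tail(blob, 32)` on this sample, which stays within the countersignature's OCTET STRING) leave the encoding well-formed, so a full validation must also parse the content of each attribute.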

[Image: on the left, the altered ASN.1 structure; on the right, the unaltered structure]

If other kinds of information are overwritten, Windows simply treats the binary
as unsigned and does not show the “Digital signatures” tab in the properties
dialog.

Using Explorer to open the “Digital signatures” tab crashes explorer.exe with
an unhandled exception. Other programs such as Total Commander also crash when
attempting to display the certificate. This bug is only present in Windows 8.
The same proof of concept on Windows XP/7 merely tricks the system into showing
the “Digital signatures” tab with no information in it. That is not normal
either (the tab should not be visible), but at least it does not kill the
process.

Other programs that check the signature, such as sigcheck or signtool, are not
affected.

In theory this may be related to a design change. In Windows 7 and XP the
signer's email is shown in the “Digital signatures” information tab; in
Windows 8 the hash is shown instead. We suppose Microsoft realised that very
few signers include an email in the signature, so this field was usually blank.

[Image: on the left, properties of a signed file in Windows 7; on the right, in Windows 8]

A quick analysis leads us to the hypothesis that it is difficult to exploit the
bug to run arbitrary code. MSRT confirmed to us that it is more of a bug than a
real security problem.